A security system vendor gave us two VMs of their product to put on our network. I ran a non-destructive Full and Fast scan (via OSSIM) on the network and their device triggered VULNID 103811 EJBInvokerServlet / JMXInvokerServlet Marshalled Object, which is Severity 10. I told them and they gave many reasons, a different reason every time I questioned the previous reason.
After many questions, I asked them "Is this a false positive? Is our scanner actually not detecting unauthenticated access to EJBInvokerServlet or JMXInvokerServlet?"
and I gave them this link to check the actual script: https://vulners.com/openvas/OPENVAS:1361412562310103811
Their latest answer is "I tested the exploit on Friday with our new architect the same linked in the vulnerability mentioned in your email below and it’s a false positive, it doesn’t give me a php prompt like it should."
Is that a good answer? Since they didn’t get a PHP prompt, does that mean the vulnerability is not present?